Add RequestForgerySanitizer

atorralba · atorralba · commit 3ec2c1308ef5 · 2021-06-17T14:58:27.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.ql b/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.ql
@@ -13,6 +13,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.RequestForgeryConfig
 import semmle.code.java.security.UnsafeAndroidAccess
 import DataFlow::PathGraph
 
@@ -25,6 +26,10 @@ class FetchUntrustedResourceConfiguration extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof RequestForgerySanitizer
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, FetchUntrustedResourceConfiguration conf
diff --git a/java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccess.java b/java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccess.java
@@ -147,6 +147,6 @@ public boolean shouldOverrideUrlLoading(WebView view, String url) {
 
 		String thisUrl = getIntent().getStringExtra("url");
 		// This should be considered safe - the query lacks a proper sanitizer for partial URLs.
-		wv.loadUrl("https://www.mycorp.com/" + thisUrl); // $ SPURIOUS: hasUnsafeAndroidAccess
+		wv.loadUrl("https://www.mycorp.com/" + thisUrl);
 	}
 }
diff --git a/java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccessTest.ql b/java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccessTest.ql
@@ -1,15 +1,20 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
-import TestUtilities.InlineExpectationsTest
+import semmle.code.java.security.RequestForgeryConfig
 import semmle.code.java.security.UnsafeAndroidAccess
+import TestUtilities.InlineExpectationsTest
 
 class Conf extends TaintTracking::Configuration {
   Conf() { this = "qltest:cwe:unsafe-android-access" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof RequestForgerySanitizer
+  }
 }
 
 class UnsafeAndroidAccessTest extends InlineExpectationsTest {

Original file line number	Diff line number	Diff line change
`@@ -147,6 +147,6 @@ public boolean shouldOverrideUrlLoading(WebView view, String url) {`
`147`	`147`
`148`	`148`	`String thisUrl = getIntent().getStringExtra("url");`
`149`	`149`	`// This should be considered safe - the query lacks a proper sanitizer for partial URLs.`
`150`		`- wv.loadUrl("https://www.mycorp.com/" + thisUrl); // $ SPURIOUS: hasUnsafeAndroidAccess`
	`150`	`+ wv.loadUrl("https://www.mycorp.com/" + thisUrl);`
`151`	`151`	`}`
`152`	`152`	`}`